Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Network-reachable EBS web tier (AV:N), Oracle calls it easily exploitable (AC:L), requires a low-privileged EBS account (PR:L), no user interaction, high confidentiality and only partial availability impact with no integrity change.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).
AnalysisAI
Information disclosure and partial denial of service in Oracle E-Business Suite Enterprise Asset Management (versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker with HTTP network access to read all data accessible to the Enterprise Asset Management module and degrade its availability. Oracle rates the issue 7.1 CVSS 3.1 and describes it as easily exploitable. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.
Technical ContextAI
Oracle E-Business Suite is Oracle's flagship integrated ERP suite, and Enterprise Asset Management (EAM) is the module covering asset lifecycle, work orders, preventive maintenance and Internal Operations. The flaw sits in the Internal Operations component of EAM and is reachable over HTTP via the standard EBS web tier, which fronts Oracle Application Server / WebLogic and the underlying Oracle Database. No CWE was assigned by Oracle in the advisory, but the impact profile (C:H/I:N/A:L) is consistent with an authorization or access-control gap that exposes EAM-scoped data and allows partial resource exhaustion rather than a memory-corruption or injection bug. The single CPE provided (cpe:2.3:a:oracle_corporation:oracle_enterprise_asset_management) confirms the EAM module is the affected asset class.
RemediationAI
Patch available per vendor advisory: apply the fixes bundled in the Oracle Critical Patch Update of June 2026 documented at https://www.oracle.com/security-alerts/cspujun2026.html, which covers EBS 12.2.3 through 12.2.15. Until the CPU can be applied, restrict network reachability of the EBS web tier so that only trusted internal users can hit EAM URLs (for example via reverse-proxy URL filtering or WAF rules blocking /OA_HTML/ EAM endpoints), tighten EBS responsibility assignments so that low-privileged accounts do not have EAM responsibilities, and increase monitoring of HTTP access logs for anomalous EAM requests; note that URL filtering can break legitimate maintenance workflows and removing EAM responsibilities will disable EAM functionality for affected users. Rotate or review credentials of any low-privileged accounts that could already have abused the flaw, since exploitation leaves no integrity trace.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37248